CyberArk PAS
Use the CyberArk Privileged Access Security (PAS) solution to manage users, safes, vaults, and accounts from Cortex XSOAR.
#
Configure CyberArkPAS on Cortex XSOAR- Navigate to Settings > Integrations > Servers & Services.
- Search for CyberArkPAS.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
url | Server URL (e.g., https://example.net\) | True |
credentials | Username | True |
isFetch | Fetch incidents | False |
max_fetch | Max fetch | False |
fetch_time | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year) | False |
score | CyberArk PAS score (0.0-100.0) | False |
incidentType | Incident type | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
- Click Test to validate the URLs, token, and connection.
#
CommandsYou can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
cyberark-pas-user-addAdd a new user to the vault.
#
Base Commandcyberark-pas-user-add
#
InputArgument Name | Description | Required |
---|---|---|
username | The name of the user. | Required |
user_type | The user type according to the license. | Optional |
non_authorized_interfaces | The CyberArkPAS interfaces that this user is not authorized to use, e.g., - "PSM", "PSMP" | Optional |
location | The location in the vault where the user will be created. Must begin with "\". If just "\", the vault is in the root. | Optional |
expiry_date | The date when the user credentials expire. Must be in the following timestamp format: (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year). | Optional |
password | The password that the user will use to log in for the first time. | Required |
change_password_on_the_next_logon | Whether or not the user must change the user password from the second log in onward. Can be 'true' or 'false'. Default is 'true'. | Optional |
password_never_expires | Whether the user’s password will not expire unless they decide to change it. Can be 'true' or 'false'. Default is 'false'. | Optional |
vault_authorization | A comma-separated list of user permissions. Valid values are: AuditUsers, AddUpdateUsers, ResetUsersPasswords, ActivateUsers, AddNetworkAreas, ManageDirectoryMapping, ManageServerFileCategories, BackupAllSafes, RestoreAllSafes e.g., AddSafes,AuditUsers | Optional |
description | Notes and comments. | Optional |
The email address of the user. | Optional | |
first_name | The first name of the user. | Optional |
last_name | The last name of the user. | Optional |
enable_user | Whether the user will be enabled upon creation. Can be 'true' or 'false'. Default is 'true'. | Optional |
distinguished_name | The distinguished name of the user. The usage is for PKI authentication. This will match the certificate subject name or domain name. | Optional |
profession | The profession of the user. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Users.id | Number | The unique ID of the user. |
CyberArkPAS.Users.authenticationMethod | String | The authentication method of the user. |
CyberArkPAS.Users.changePassOnNextLogon | Boolean | Whether or not the user must change the user password. |
CyberArkPAS.Users.description | String | Description of the user. |
CyberArkPAS.Users.enableUser | Boolean | Whether or not the user is enabled. |
CyberArkPAS.Users.expiryDate | Number | The expiry date of the user credentials. |
CyberArkPAS.Users.internet.businessEmail | String | The email address of the user. |
CyberArkPAS.Users.lastSuccessfulLoginDate | Number | The last successful login date of the user. |
CyberArkPAS.Users.location | String | The location in the vault where the user will be created. |
CyberArkPAS.Users.personalDetails.profession | String | The profession of the user. |
CyberArkPAS.Users.suspended | Boolean | Whether or not the user is suspended. |
CyberArkPAS.Users.userType | String | The type of the user. |
CyberArkPAS.Users.username | String | The name of the user. |
CyberArkPAS.Users.vaultAuthorization | String | The permissions of the user. |
#
Command Example!cyberark-pas-user-add username="TestUser" password="12345Aa" change_password_on_the_next_logon=true description="new user for test" email="usertest@test.com" enable_user=true first_name="user" last_name="test" profession="testing integrations"
#
Context Example#
Human Readable Output#
Results
authenticationMethod businessAddress changePassOnNextLogon componentUser description distinguishedName enableUser expiryDate groupsMembership id internet lastSuccessfulLoginDate location passwordNeverExpires personalDetails phones source suspended unAuthorizedInterfaces userType username vaultAuthorization AuthTypePass workStreet:
workCity:
workState:
workZip:
workCountry:true false new user for test true -62135578800 150 homePage:
homeEmail:
businessEmail: usertest@test.com
otherEmail:1597830302 \ false street:
city:
state:
zip:
country:
title:
organization:
department:
profession: testing integrations
firstName: user
middleName:
lastName: testhomeNumber:
businessNumber:
cellularNumber:
faxNumber:
pagerNumber:CyberArk false EPVUser TestUser
#
cyberark-pas-user-updateUpdate an existing vault user.
#
Base Commandcyberark-pas-user-update
#
InputArgument Name | Description | Required |
---|---|---|
username | The name of the user. | Optional |
user_type | User type according to the license. | Optional |
non_authorized_interfaces | The CyberArkPAS interfaces that this user is not authorized to use, e.g., "PSM", "PSMP" | Optional |
location | The location in the vault where the user will be created. Must begin with "\". If just "\", the vault is in the root. | Optional |
expiry_date | The date when the user expires. Must be in the following timestamp format: (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year). | Optional |
change_password_on_the_next_logon | Whether or not the user must change their password from the second log on onward. Can be 'true' or 'false'. Default is 'true'. | Optional |
password_never_expires | Whether the user’s password will not expire unless they decide to change it. Can be 'true' or 'false'. Default is 'false'. | Optional |
vault_authorization | A comma-separated list of user permissions. Valid values are: AddSafes, AuditUsers, AddUpdateUsers, ResetUsersPasswords, ActivateUsers, AddNetworkAreas, ManageDirectoryMapping, ManageServerFileCategories, BackupAllSafes, RestoreAllSafes e.g., AddSafes,AuditUsers | Optional |
description | Notes and comments. | Optional |
The email addresses of the user. | Optional | |
first_name | The first name of the user. | Optional |
last_name | The last name of the user. | Optional |
enable_user | Whether the user will be enabled upon creation. Can be 'true' or 'false'. Default is 'true'. | Optional |
distinguished_name | The distinguished name of the user. The usage is for PKI authentication. This will match the certificate subject name or domain name. | Optional |
profession | The profession of the user. | Optional |
user_id | The ID of the user to update. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Users.id | Number | The unique ID of the user. |
CyberArkPAS.Users.authenticationMethod | String | The authentication method for the user. |
CyberArkPAS.Users.changePassOnNextLogon | Boolean | Whether or not the user must change the user password. |
CyberArkPAS.Users.description | String | Description of the user. |
CyberArkPAS.Users.enableUser | Boolean | Whether or not the user is enabled. |
CyberArkPAS.Users.expiryDate | Number | The expiry date of the user. |
CyberArkPAS.Users.internet.businessEmail | String | The email address of the user. |
CyberArkPAS.Users.lastSuccessfulLoginDate | Number | The last successful login date of the user. |
CyberArkPAS.Users.location | String | The location in the vault where the user will be created. |
CyberArkPAS.Users.personalDetails.profession | String | The profession of the user. |
CyberArkPAS.Users.suspended | Boolean | Whether or not the user is suspended. |
CyberArkPAS.Users.userType | String | The type of the user. |
CyberArkPAS.Users.username | String | The name of the user. |
CyberArkPAS.Users.vaultAuthorization | String | The permissions of the user. |
#
Command Example!cyberark-pas-user-update user_id=150 change_password_on_the_next_logon=true description="updated description" email="update@test.com" first_name="test1" last_name="updated-name" username="TestUser1" profession="test1"
#
Context Example#
Human Readable Output#
Results
authenticationMethod businessAddress changePassOnNextLogon componentUser description distinguishedName enableUser expiryDate groupsMembership id internet lastSuccessfulLoginDate location passwordNeverExpires personalDetails phones source suspended unAuthorizedInterfaces userType username vaultAuthorization AuthTypePass workStreet:
workCity:
workState:
workZip:
workCountry:true false updated description true -62135578800 150 homePage:
homeEmail:
businessEmail: update@test.com
otherEmail:1597830302 \ false street:
city:
state:
zip:
country:
title:
organization:
department:
profession: test1
firstName: test1
middleName:
lastName: updated-namehomeNumber:
businessNumber:
cellularNumber:
faxNumber:
pagerNumber:CyberArk false EPVUser TestUser1
#
cyberark-pas-user-deleteDelete a specific user in the vault.
#
Base Commandcyberark-pas-user-delete
#
InputArgument Name | Description | Required |
---|---|---|
user_id | The ID of the user to delete. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Users.Deleted | Boolean | Whether the user was deleted. |
#
Command Example!cyberark-pas-user-delete user_id=150
#
Context Example#
Human Readable OutputUser 150 was deleted
#
cyberark-pas-users-listReturn a list of all existing users in the vault that meet the filter and search criteria.
#
Base Commandcyberark-pas-users-list
#
InputArgument Name | Description | Required |
---|---|---|
filter | Retrieve users using filters. Valid values: userType, componentUser. | Optional |
search | Search by the following values: username, first name, last name. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Users.id | Number | The unique IDs of the users. |
CyberArkPAS.Users.authenticationMethod | String | The authentication method of the user. |
CyberArkPAS.Users.changePassOnNextLogon | Boolean | Whether or not the users must change their password. |
CyberArkPAS.Users.description | String | Descriptions of the users. |
CyberArkPAS.Users.enableUser | Boolean | Whether or not the users are enabled. |
CyberArkPAS.Users.expiryDate | Number | The expiry dates of the users. |
CyberArkPAS.Users.internet.businessEmail | String | The email addresses of the users. |
CyberArkPAS.Users.lastSuccessfulLoginDate | Number | The last successful login dates of the users. |
CyberArkPAS.Users.location | String | The locations in the vault where the users were created. |
CyberArkPAS.Users.personalDetails.profession | String | The professions of the users. |
CyberArkPAS.Users.suspended | Boolean | Whether or not the users are suspended. |
CyberArkPAS.Users.userType | String | The types of the users. |
CyberArkPAS.Users.username | String | The names of the users. |
CyberArkPAS.Users.vaultAuthorization | String | The permissions of the users. |
#
Command Example!cyberark-pas-users-list
#
Context Example#
Human Readable Output#
There are 2 users
componentUser id location personalDetails source userType username vaultAuthorization false 2 \ firstName:
middleName:
lastName:CyberArk Built-InAdmins Administrator AddUpdateUsers,
AddSafes,
AddNetworkAreas,
ManageDirectoryMapping,
ManageServerFileCategories,
AuditUsers,
BackupAllSafes,
RestoreAllSafes,
ResetUsersPasswords,
ActivateUsersfalse 3 \ firstName:
middleName:
lastName:CyberArk Built-InAdmins Auditor AuditUsers
#
cyberark-pas-user-activateActivate an existing vault user who was suspended after entering incorrect credentials multiple times. Uses the V1 of the API and may change in the future.
#
Base Commandcyberark-pas-user-activate
#
InputArgument Name | Description | Required |
---|---|---|
user_id | The ID of the user to activate. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cyberark-pas-user-activate user_id=150
#
Human Readable OutputUser 150 was activated
#
cyberark-pas-safes-listReturn information about all of the user’s safes in the vault.
#
Base Commandcyberark-pas-safes-list
#
InputThere are no input arguments for this command.
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.SafeName | String | The names of the safes. |
CyberArkPAS.Safes.Description | String | The descriptions of the safes. |
CyberArkPAS.Safes.Location | String | The locations of the safes. |
CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safes. |
CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the safes. |
CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the safes. |
CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the safes. |
#
Command Example!cyberark-pas-safes-list
#
Context Example#
Human Readable Output#
There are 3 safes
Description Location SafeName SafeUrlId \ Internal Internal \ Notification Notification \ Reports Reports
#
cyberark-pas-safe-get-by-nameReturn information about a specific safe in the vault.
#
Base Commandcyberark-pas-safe-get-by-name
#
InputArgument Name | Description | Required |
---|---|---|
safe_name | The name of the safe about which information is returned. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.SafeName | String | The name of the safe. |
CyberArkPAS.Safes.Description | String | The description of the safe. |
CyberArkPAS.Safes.Location | String | The location of the safe. |
CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safe. |
CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the safe. |
CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the safe. |
CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the safe. |
#
Command Example!cyberark-pas-safe-get-by-name safe_name=UpdatedName1
#
Context Example#
Human Readable Output#
Results
AutoPurgeEnabled Description Location ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention OLACEnabled SafeName false UpdatedSafe \ 150 true UpdatedName1
#
cyberark-pas-safe-addAdd a new safe to the vault.
#
Base Commandcyberark-pas-safe-add
#
InputArgument Name | Description | Required |
---|---|---|
safe_name | Name of a safe to create. | Required |
description | Description of the new safe. | Optional |
OLAC_enabled | Whether or not to enable Object Level Access Control (OLAC) for the new safe. Valid values are: 'true' or 'false'. Default is 'true'. | Optional |
managing_cpm | The name of the Central Policy Manager (CPM) user who will manage the new safe. | Optional |
number_of_versions_retention | The number of retained versions of every password that is stored in the safe. | Optional |
number_of_days_retention | The number of days for which password versions are saved in the safe. | Optional |
location | The location of the new safe. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.SafeName | String | The name of the safe. |
CyberArkPAS.Safes.Description | String | The description of the safe. |
CyberArkPAS.Safes.Location | String | The location of the safe. |
CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safe. |
CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the safe. |
CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the safe. |
CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the safe. |
#
Command Example!cyberark-pas-safe-add safe_name="TestSafe1" description="safe for tests" number_of_days_retention=100
#
Context Example#
Human Readable Output#
Results
AutoPurgeEnabled Description Location ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention OLACEnabled SafeName false safe for tests \ 100 true TestSafe1
#
cyberark-pas-safe-updateUpdate a single safe in the vault.
#
Base Commandcyberark-pas-safe-update
#
InputArgument Name | Description | Required |
---|---|---|
safe_name | The name of the safe that will be updated. | Required |
description | The description of the updated safe. | Optional |
OLAC_enabled | Whether or not to enable Object Level Access Control (OLAC) for the updated safe. Valid values are: 'true' or 'false'. Default is 'true'. | Optional |
managing_cpm | The name of the Central Policy Manager (CPM) user who will manage the updated safe. | Optional |
number_of_versions_retention | The number of retained versions of every password that is stored in the updated safe. | Optional |
number_of_days_retention | The number of days for which password versions are saved in the updated safe. | Optional |
safe_new_name | The new name of the safe. | Optional |
location | The location of the updated safe. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.SafeName | String | The name of the updated safe. |
CyberArkPAS.Safes.Description | String | The description of the updated safe. |
CyberArkPAS.Safes.Location | String | The location of the updated safe. |
CyberArkPAS.Safes.ManagingCPM | String | The name of the Central Policy Manager (CPM) user who will manage the safe. |
CyberArkPAS.Safes.NumberOfDaysRetention | Number | The number of retained versions of every password that is stored in the updated safe. |
CyberArkPAS.Safes.NumberOfVersionsRetention | Number | The number of days for which password versions are saved in the updated safe. |
CyberArkPAS.Safes.OLACEnabled | Boolean | Whether or not to enable Object Level Access Control (OLAC) for the updated safe. |
#
Command Example!cyberark-pas-safe-update safe_name=TestSafe1 safe_new_name=UpdatedName1 description=UpdatedSafe number_of_days_retention=150
#
Context Example#
Human Readable Output#
Results
AutoPurgeEnabled Description Location ManagingCPM NumberOfDaysRetention NumberOfVersionsRetention OLACEnabled SafeName false UpdatedSafe \ 150 true UpdatedName1
#
cyberark-pas-safe-deleteDelete a safe from the vault.
#
Base Commandcyberark-pas-safe-delete
#
InputArgument Name | Description | Required |
---|---|---|
safe_name | The name of the safe that will be deleted. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.Deleted | Boolean | Whether the safe was deleted. |
#
Command Example!cyberark-pas-safe-delete safe_name=UpdatedName1
#
Context Example#
Human Readable OutputSafe UpdatedName1 was deleted
#
cyberark-pas-safe-members-listReturn a list of the members of the safe.
#
Base Commandcyberark-pas-safe-members-list
#
InputArgument Name | Description | Required |
---|---|---|
safe_name | The name of the safe whose safe members will be listed. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.Members.MemberName | String | The names of the safe members. |
CyberArkPAS.Safes.Members.MembershipExpirationDate | Number | The expiration dates of the safe members. |
CyberArkPAS.Safes.Members.Permissions | Unknown | The permissions of the safe members. |
CyberArkPAS.Safes.Members.SearchIn | String | The vault or domain where the users or groups was found. |
#
Command Example!cyberark-pas-safe-members-list safe_name=UpdatedName1
#
Context Example#
Human Readable Output#
There are 2 safe members for UpdatedName1
IsExpiredMembershipEnable IsPredefinedUser MemberName MemberType MembershipExpirationDate Permissions false true Administrator User UseAccounts: true
RetrieveAccounts: true
ListAccounts: true
AddAccounts: true
UpdateAccountContent: true
UpdateAccountProperties: true
InitiateCPMAccountManagementOperations: true
SpecifyNextAccountContent: true
RenameAccounts: true
DeleteAccounts: true
UnlockAccounts: true
ManageSafe: true
ManageSafeMembers: true
BackupSafe: true
ViewAuditLog: true
ViewSafeMembers: true
AccessWithoutConfirmation: true
CreateFolders: true
DeleteFolders: true
MoveAccountsAndFolders: true
RequestsAuthorizationLevel1: true
RequestsAuthorizationLevel2: falsefalse false TestUser1 User UseAccounts: true
RetrieveAccounts: false
ListAccounts: false
AddAccounts: false
UpdateAccountContent: false
UpdateAccountProperties: false
InitiateCPMAccountManagementOperations: false
SpecifyNextAccountContent: false
RenameAccounts: false
DeleteAccounts: false
UnlockAccounts: false
ManageSafe: false
ManageSafeMembers: false
BackupSafe: false
ViewAuditLog: false
ViewSafeMembers: false
AccessWithoutConfirmation: false
CreateFolders: false
DeleteFolders: false
MoveAccountsAndFolders: false
RequestsAuthorizationLevel1: false
RequestsAuthorizationLevel2: false
#
cyberark-pas-safe-member-addAdd an existing user as a safe member. Uses the V1 of the API and may change in the future.
#
Base Commandcyberark-pas-safe-member-add
#
InputArgument Name | Description | Required |
---|---|---|
member_name | The name of the user to add as a safe member. | Required |
search_in | Search for the member in the vault or domain. | Optional |
membership_expiration_date | The membership expiration date in the format MM\DD\YY. Leave empty if there is no expiration date. | Optional |
permissions | The user’s permissions in the safe. Valid values: UseAccounts, RetrieveAccounts, ListAccounts, AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts, ManageSafe, ManageSafeMembers, BackupSafe, ViewAuditLog, ViewAuditLog, ViewSafeMembers, AccessWithoutConfirmation, CreateFolders, DeleteFolders, MoveAccountsAndFolders e.g., UseAccounts,RetrieveAccounts | Optional |
safe_name | The name of the safe to add a member to. | Required |
requests_authorization_level | The request authorization levels. 0 – cannot authorize 1 – authorization level 1 2 – authorization level 2 Default is '0'. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.Members.MemberName | String | The name of the safe member. |
CyberArkPAS.Safes.Members.MembershipExpirationDate | Number | The expiration date of the safe member. |
CyberArkPAS.Safes.Members.Permissions | Unknown | The permissions of the safe member. |
CyberArkPAS.Safes.Members.SearchIn | String | The vault or domain where the user or group was found. |
#
Command Example!cyberark-pas-safe-member-add member_name="TestUser1" safe_name="UpdatedName1"
#
Context Example#
Human Readable Output#
Results
MemberName MembershipExpirationDate Permissions SearchIn TestUser1 {'Key': 'UseAccounts', 'Value': False},
{'Key': 'RetrieveAccounts', 'Value': False},
{'Key': 'ListAccounts', 'Value': False},
{'Key': 'AddAccounts', 'Value': False},
{'Key': 'UpdateAccountContent', 'Value': False},
{'Key': 'UpdateAccountProperties', 'Value': False},
{'Key': 'InitiateCPMAccountManagementOperations', 'Value': False},
{'Key': 'SpecifyNextAccountContent', 'Value': False},
{'Key': 'RenameAccounts', 'Value': False},
{'Key': 'DeleteAccounts', 'Value': False},
{'Key': 'UnlockAccounts', 'Value': False},
{'Key': 'ManageSafe', 'Value': False},
{'Key': 'ManageSafeMembers', 'Value': False},
{'Key': 'BackupSafe', 'Value': False},
{'Key': 'ViewAuditLog', 'Value': False},
{'Key': 'ViewSafeMembers', 'Value': False},
{'Key': 'AccessWithoutConfirmation', 'Value': False},
{'Key': 'CreateFolders', 'Value': False},
{'Key': 'DeleteFolders', 'Value': False},
{'Key': 'MoveAccountsAndFolders', 'Value': False},
{'Key': 'RequestsAuthorizationLevel', 'Value': 0}vault
#
cyberark-pas-safe-member-updateUpdate an existing safe member. Uses the V1 of the API and may change in the future.
#
Base Commandcyberark-pas-safe-member-update
#
InputArgument Name | Description | Required |
---|---|---|
member_name | The member name that will be updated. | Required |
membership_expiration_date | The membership expiration date in the format MM\DD\YY. Leave empty if there is no expiration date. | Optional |
permissions | The user’s permissions in the safe. Valid values are: UseAccounts, RetrieveAccounts, ListAccounts, AddAccounts, UpdateAccountContent, UpdateAccountProperties, InitiateCPMAccountManagementOperations, InitiateCPMAccountManagementOperations, SpecifyNextAccountContent, RenameAccounts, DeleteAccounts, UnlockAccounts, ManageSafe, ManageSafeMembers, BackupSafe, ViewAuditLog, ViewAuditLog, ViewSafeMembers, RequestsAuthorizationLevel, AccessWithoutConfirmation, CreateFolders, DeleteFolders, MoveAccountsAndFolders e.g., UseAccounts,RetrieveAccounts | Optional |
safe_name | The name of the safe to which the safe member belongs. | Required |
requests_authorization_level | Request authorization levels. 0 – cannot authorize 1 – authorization level 1 2 – authorization level 2 Default is: '0'. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.Members.MemberName | String | The name of the safe member. |
CyberArkPAS.Safes.Members.MembershipExpirationDate | Number | The expiration date of the safe member. |
CyberArkPAS.Safes.Members.Permissions | Unknown | The permissions of the safe member. |
CyberArkPAS.Safes.Members.SearchIn | String | The vault or domain where the user or group was found. |
#
Command Example!cyberark-pas-safe-member-update member_name="TestUser1" safe_name="UpdatedName1" permissions=UseAccounts
#
Context Example#
Human Readable Output#
Results
MembershipExpirationDate Permissions {'Key': 'UseAccounts', 'Value': True},
{'Key': 'RetrieveAccounts', 'Value': False},
{'Key': 'ListAccounts', 'Value': False},
{'Key': 'AddAccounts', 'Value': False},
{'Key': 'UpdateAccountContent', 'Value': False},
{'Key': 'UpdateAccountProperties', 'Value': False},
{'Key': 'InitiateCPMAccountManagementOperations', 'Value': False},
{'Key': 'SpecifyNextAccountContent', 'Value': False},
{'Key': 'RenameAccounts', 'Value': False},
{'Key': 'DeleteAccounts', 'Value': False},
{'Key': 'UnlockAccounts', 'Value': False},
{'Key': 'ManageSafe', 'Value': False},
{'Key': 'ManageSafeMembers', 'Value': False},
{'Key': 'BackupSafe', 'Value': False},
{'Key': 'ViewAuditLog', 'Value': False},
{'Key': 'ViewSafeMembers', 'Value': False},
{'Key': 'AccessWithoutConfirmation', 'Value': False},
{'Key': 'CreateFolders', 'Value': False},
{'Key': 'DeleteFolders', 'Value': False},
{'Key': 'MoveAccountsAndFolders', 'Value': False},
{'Key': 'RequestsAuthorizationLevel', 'Value': 0}
#
cyberark-pas-safe-member-deleteRemove a specific member from a safe. Uses the V1 of the API and may change in the future.
#
Base Commandcyberark-pas-safe-member-delete
#
InputArgument Name | Description | Required |
---|---|---|
safe_name | The name of the safe to delete a member from. | Required |
member_name | The name of the safe member to delete from the safe’s list of members. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Safes.Members.Deleted | Boolean | Whether the safe member was deleted. |
#
Command Example!cyberark-pas-safe-member-delete member_name=TestUser1 safe_name=UpdatedName1
#
Context Example#
Human Readable OutputMember TestUser1 was deleted from UpdatedName1 safe
#
cyberark-pas-account-addAdd a new privileged account or SSH key to the vault.
#
Base Commandcyberark-pas-account-add
#
InputArgument Name | Description | Required |
---|---|---|
account_name | The name of the account. | Required |
address | The name or address of the machine where the account will be used. | Required |
platform_id | The platform assigned to this account. | Required |
safe_name | The name of the safe where the account will be created. | Required |
secret_type | The type of password. Valid values are: 'password', 'key'. Default is 'password'. | Optional |
username | The The user name of the account. | Required |
password | The password that the user will use to log on for the first time. | Required |
properties | Object containing key-value pairs to associate with the account, as defined by the account platform. e.g., {"Location": "IT", "OwnerName": "MSSPAdmin"} | Optional |
automatic_management_enabled | Whether the account secret is automatically managed by the Central Policy Manager (CPM). Can be 'true' or 'false'. Default is 'true'. | Optional |
manual_management_reason | The reason for disabling automatic secret management. | Optional |
remote_machines | List of remote machines, separated by semicolons. e.g., server1.cyberark.com;server2.cyberark.com | Optional |
access_restricted_to_remote_machines | Whether or not to restrict access to specified remote machines only. Can be 'true' or 'false'. Default is: 'true'. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Accounts.id | String | The unique ID of the account. |
CyberArkPAS.Accounts.categoryModificationTime | Number | The last modified date of the account. |
CyberArkPAS.Accounts.createdTime | Number | The date the account was created. |
CyberArkPAS.Accounts.name | String | The name of the account. |
CyberArkPAS.Accounts.platformId | String | The platform assigned to this account. |
CyberArkPAS.Accounts.safeName | String | The safe where the account is created. |
CyberArkPAS.Accounts.secretManagement | String | Whether the account secret is automatically managed by the CPM. |
CyberArkPAS.Accounts.secretType | String | The type of password. |
CyberArkPAS.Accounts.userName | String | The name of the account user. |
CyberArkPAS.Accounts.address | String | The name or address of the machine where the account will be used. |
#
Command Example!cyberark-pas-account-add safe_name=TestSafe1 account_name=TestAccount1 address=/ password=12345Aa platform_id=WinServerLocal username=TestUser
#
Context Example#
Human Readable Output#
Results
address categoryModificationTime createdTime id name platformId safeName secretManagement secretType userName / 1597863168 1597863168 89_3 TestAccount1 WinServerLocal TestSafe1 automaticManagementEnabled: true
lastModifiedTime: 1597848768password TestUser
#
cyberark-pas-account-deleteDelete a specific account in the vault.
#
Base Commandcyberark-pas-account-delete
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account to delete. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Accounts.Deleted | Boolean | Whether the safe was deleted. |
#
Command Example!cyberark-pas-account-delete account_id= 89_3
#
Context Example#
Human Readable OutputAccount 89_3 was deleted
#
cyberark-pas-account-updateUpdate the details of an existing account.
#
Base Commandcyberark-pas-account-update
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account to update. | Required |
account_name | The name of the account to update. | Optional |
address | The name or address of the machine where the account will be used. | Optional |
platform_id | The platform assigned to this account. | Optional |
username | The user name of the account. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Accounts.id | String | The unique ID of the account. |
CyberArkPAS.Accounts.categoryModificationTime | Number | The last modified date of the account. |
CyberArkPAS.Accounts.createdTime | Number | The date the account was created. |
CyberArkPAS.Accounts.name | String | The name of the account. |
CyberArkPAS.Accounts.platformId | String | The platform assigned to this account. |
CyberArkPAS.Accounts.safeName | String | The safe where the account was created. |
CyberArkPAS.Accounts.secretManagement | String | Whether the account secret is automatically managed by the CPM. |
CyberArkPAS.Accounts.secretType | String | The type of password. |
CyberArkPAS.Accounts.userName | String | The user name of the account. |
CyberArkPAS.Accounts.address | String | The name or address of the machine where the account will be used. |
#
Command Example!cyberark-pas-account-update account_id= 89_3 account_name=NewName
#
Context Example#
Human Readable Output#
Results
address categoryModificationTime createdTime id name platformId safeName secretManagement secretType userName / 1597863168 1597863168 89_3 NewName WinServerLocal TestSafe1 automaticManagementEnabled: true
lastModifiedTime: 1597848768password TestUser
#
cyberark-pas-accounts-listReturn a list of all the accounts in the vault.
#
Base Commandcyberark-pas-accounts-list
#
InputArgument Name | Description | Required |
---|---|---|
search | List of keywords to search for in the accounts. Separated with a space, e.g,. Windows admin | Optional |
sort | Property or properties by which to sort the returned accounts. The properties are followed by a comma and then 'asc' (default) or 'desc' to control the sort direction, e.g., Windows,asc | Optional |
offset | The offset of the first account that is returned in the collection of results. Default is '0'. | Optional |
limit | Maximum number of accounts in the returned list. Default is '50'. | Optional |
filter | Search for accounts filtered by a specific safe, e.g., safeName eq 'mySafe'. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Accounts.id | String | The unique IDs of the accounts. |
CyberArkPAS.Accounts.categoryModificationTime | Number | Last modified dates of the accounts. |
CyberArkPAS.Accounts.createdTime | Number | Date the account was created. |
CyberArkPAS.Accounts.name | String | The names of the accounts. |
CyberArkPAS.Accounts.platformId | String | The platforms assigned to these accounts. |
CyberArkPAS.Accounts.safeName | String | The safes where the accounts were created. |
CyberArkPAS.Accounts.secretManagement | String | Whether the accounts secrets were automatically managed by the CPM. |
CyberArkPAS.Accounts.secretType | String | The type of passwords. |
CyberArkPAS.Accounts.userName | String | The user names of the accounts. |
CyberArkPAS.Accounts.address | String | The names or addresses of the machine where the accounts are used. |
#
Command Example!cyberark-pas-accounts-list limit=2
#
Context Example#
Human Readable Output#
There are 2 accounts
address categoryModificationTime createdTime id name platformAccountProperties platformId safeName secretManagement secretType userName string 1594569595 1594573679 2_6 account1 Oracle VaultInternal automaticManagementEnabled: true
lastModifiedTime: 1594559279password string string 1583345933 1573127750 2_3 cybr WinDomain VaultInternal automaticManagementEnabled: false
manualManagementReason: NoReason
lastModifiedTime: 1573109750password vault
#
cyberark-pas-account-get-list-activityReturns the activities of a specific account that is identified by its account ID.
#
Base Commandcyberark-pas-account-get-list-activity
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The ID of the account whose activities will be retrieved. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Activities.Action | String | The activity that was performed. |
CyberArkPAS.Activities.ActionID | Number | The code identification of the specific activity. |
CyberArkPAS.Activities.Alert | Boolean | Whether or not the activity caused an alert. |
CyberArkPAS.Activities.ClientID | String | The name of the account. |
CyberArkPAS.Activities.Date | Number | The date the account was created. |
CyberArkPAS.Activities.MoreInfo | String | More information about the activity. |
CyberArkPAS.Activities.Reason | String | The reason given by the user for the activity. |
CyberArkPAS.Activities.User | String | The user who performed the activity. |
#
Command Example!cyberark-pas-account-get-list-activity account_id= 89_3
#
Context Example#
Human Readable Output#
Results
Action ActionID Alert ClientID Date MoreInfo Reason User Rename File 124 false 1 1597863265 NewName Administrator Add File Category 105 false 1 1597863168 CreationMethod Value=[ABC] Administrator
#
cyberark-pas-account-get-detailsReturns information for the specified account, identified by the account ID.
#
Base Commandcyberark-pas-account-get-details
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The ID of the account for which to retrieve information. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.Accounts.id | String | The unique ID of the account. |
CyberArkPAS.Accounts.categoryModificationTime | Number | The date the account was last modified. |
CyberArkPAS.Accounts.createdTime | Number | The date the account was created. |
CyberArkPAS.Accounts.name | String | The name of the account. |
CyberArkPAS.Accounts.platformId | String | The platform assigned to this account. |
CyberArkPAS.Accounts.safeName | String | The safe where the account is created. |
CyberArkPAS.Accounts.secretManagement | String | Whether the account secret is automatically managed by the CPM. |
CyberArkPAS.Accounts.secretType | String | The type of password. |
CyberArkPAS.Accounts.userName | String | The name of the account user. |
CyberArkPAS.Accounts.address | String | The name or address of the machine where the account will be used. |
#
Command Example!cyberark-pas-account-get-details account_id=46_7
#
Context Example#
Human Readable Output#
Results
address categoryModificationTime createdTime id name platformAccountProperties platformId safeName secretManagement secretType userName address 1597581174 1595431869 46_7 Operating System-UnixSSH UseSudoOnReconcile: No
Tags: SSHUnixSSH Linux Accounts automaticManagementEnabled: true
status: success
lastModifiedTime: 1595417469
lastReconciledTime: 1576120341password user1
#
cyberark-pas-credentials-change-in-vault-onlyEnable users to set account credentials and change them in the vault.
#
Base Commandcyberark-pas-credentials-change-in-vault-only
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account. | Required |
new_credentials | The new account credentials that will be allocated to the account in the vault. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cyberark-pas-credentials-change-in-vault-only account_id=89_4 new_credentials=1234Asw
#
Human Readable OutputThe password in the account 89_4 was changed
#
cyberark-pas-credentials-verifyMark an account for verification by the Central Policy Manager (CPM).
#
Base Commandcyberark-pas-credentials-verify
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cyberark-pas-credentials-verify account_id=89_4
#
Human Readable OutputThe account 89_4 was marked for verification by the CPM
#
cyberark-pas-credentials-reconcileMark an account for automatic reconciliation by the Central Policy Manager (CPM).
#
Base Commandcyberark-pas-credentials-reconcile
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cyberark-pas-credentials-reconcile account_id=89_4
#
Human Readable OutputThe account 89_4 was marked for automatic reconciliation by the CPM.
#
cyberark-pas-credentials-change-random-passwordMark an account for an immediate credentials change by the CPM to a new random value.
#
Base Commandcyberark-pas-credentials-change-random-password
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cyberark-pas-credentials-change-random-password account_id=89_4
#
Human Readable OutputThe password in the account 89_4 was changed
#
cyberark-pas-credentials-change-set-new-passwordEnable users to set the account's credentials to use for the next Central Policy Manager (CPM) change.
#
Base Commandcyberark-pas-credentials-change-set-new-password
#
InputArgument Name | Description | Required |
---|---|---|
account_id | The unique ID of the account. | Required |
new_credentials | The new account credentials that will be allocated to the account in the vault. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cyberark-pas-credentials-change-set-new-password account_id=89_4
#
Human Readable OutputThe password in the account 89_4 was changed
#
cyberark-pas-security-events-getReturn all Privileged Threat Analytics (PTA) security events.
#
Base Commandcyberark-pas-security-events-get
#
InputArgument Name | Description | Required |
---|---|---|
start_time | The starting date to get the security events from. Must be in the following timestamp format: (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year). | Required |
limit | The number of events that will be shown, from newest to oldest. Default is '50'. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CyberArkPAS.SecurityEvents.id | Number | The unique ID of the security events. |
CyberArkPAS.SecurityEvents.additionalData | String | Additional data about the security events. |
CyberArkPAS.SecurityEvents.audits.createTime | Number | The time the security events were created. |
CyberArkPAS.SecurityEvents.lastUpdateTime | Number | The last update time of the security events. |
CyberArkPAS.SecurityEvents.mStatus | String | The status of the security events. |
CyberArkPAS.SecurityEvents.score | Number | The score of the security events. |
CyberArkPAS.SecurityEvents.type | String | The type of the security events. |
#
Command Example!cyberark-pas-security-events-get start_time="3 days" limit=2
#
Context Example#
Human Readable Output#
Results
additionalData audits createTime id lastUpdateTime mStatus score type station: 1.1.1.1
reason: ip
vault_user: administrator{'id': '1', 'type': 'VAULT_LOGON', 'sensorType': 'VAULT', 'action': 'Logon', 'createTime': 1597864497000, 'vaultUser': 'Administrator', 'source': {'mOriginalAddress': '1.1.1.1', 'mResolvedAddress': {'mOriginalAddress': '1.1.1.1', 'mAddress': '1.1.1.1', 'mHostName': '1-2-3-4', 'mFqdn': '1-2-3-4'}}, 'cloudData': {}} 1597864497000 1 1597864497000 OPEN 25.751749103263528 VaultViaIrregularIp station: 1.1.1.1
reason: ip
vault_user: administrator{'id': '2', 'type': 'VAULT_LOGON', 'sensorType': 'VAULT', 'action': 'Logon', 'createTime': 1597864209000, 'vaultUser': 'Administrator', 'source': {'mOriginalAddress': '1.1.1.1', 'mResolvedAddress': {'mOriginalAddress': '1.1.1.1', 'mAddress': '1.1.1.1', 'mHostName': '1-2-3-4', 'mFqdn': '1-2-3-4'}}, 'cloudData': {}} 1597864209000 2 1597864209000 OPEN 25.751749103263528 VaultViaIrregularIp